Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.
This article shows how to grant a user of your choice the rights to manage domain users and groups via custom LDAP ACLs.
First of all, install the package univention-custom-ldap-acls from the Cool Solutions repository via the command
The package should create some new UCR variables. Check these with the following command:
ucr search --brief ldap/acls
You should see these variables:
ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter: objectClass=posixAccount
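A small check for this step, added here and not part of the Univention article or the package: it compares the output of ucr search --brief ldap/acls against the seven variables listed above and reports any that are missing, and it reads back the value of a single variable (the .../create variables are the ones that decide whether an ACL holder may create objects, so they are worth confirming before and after you change them). The command output is passed in as text, so the check runs offline against the constructed sample at the end; on a UCS system you feed it the real output as shown in the last comment.

```shell
#!/bin/sh
# Added check (not part of the Univention article): verify that the UCR
# variables the package is expected to create are present, and read their
# values. Output of `ucr search --brief ldap/acls` is passed in as text.

EXPECTED_ACL_VARS='ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description
ldap/acls/custom/univentionCustomACLReferenceUserCreate/filter'

# Print every expected variable name that has no "name: value" line in $1.
# Prints nothing when all variables are present.
missing_acl_vars() {
    output="$1"
    printf '%s\n' "$EXPECTED_ACL_VARS" | while IFS= read -r var; do
        printf '%s\n' "$output" | grep -q "^$var: " || printf '%s\n' "$var"
    done
}

# Print the value of variable $1 from the ucr output in $2 (empty if unset).
acl_var_value() {
    printf '%s\n' "$2" | sed -n "s|^$1: ||p" | head -n 1
}

# Constructed sample: the listing from the article with the UserCreate
# filter variable deliberately left out, so the check has something to find.
SAMPLE_UCR='ldap/acls/custom/univentionCustomACLReferenceGroupModify/attrs: uniqueMember,memberUid
ldap/acls/custom/univentionCustomACLReferenceGroupModify/create: no
ldap/acls/custom/univentionCustomACLReferenceGroupModify/description: Edit groups
ldap/acls/custom/univentionCustomACLReferenceGroupModify/filter: objectClass=univentionGroup
ldap/acls/custom/univentionCustomACLReferenceUserCreate/create: yes
ldap/acls/custom/univentionCustomACLReferenceUserCreate/description: Edit user'

# On a UCS system:
#   missing_acl_vars "$(ucr search --brief ldap/acls)"
#   acl_var_value ldap/acls/custom/univentionCustomACLReferenceGroupModify/create "$(ucr search --brief ldap/acls)"
```

Run against the sample, missing_acl_vars prints only the UserCreate filter variable, and acl_var_value returns "no" for the GroupModify create flag, which matches the fresh-install state shown above (group creation is off until you set it to "yes" later in this article).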
After that, switch to the Univention Management Console and open the LDAP directory module. Expand the tab univention and search for custom attributes → LDAP ACLs.
You will find the two custom attributes groups-modify and users-create. Make sure that they have the following settings (the values shown are for users-create; for groups-modify use the short description Edit groups and the LDAP attribute univentionCustomACLReferenceGroupModify from the UCR listing above):
Unique name: <users-create or groups-modify>
Short description: Create user
Modules to be extended: "Container: Container"
Modules to be extended: "Container: Organizational Unit"
LDAP object class: univentionCustomACLReferences
LDAP attribute: univentionCustomACLReferenceUserCreate
Remove object class if the attribute is removed: (check this box)
Ordering number: 1
Tab name: authorization
Syntax class: userDn
Multi value: (check this box)
Editable after creation: (check this box)
The next step is to give the users of your choice the authorization over the users container in the LDAP directory module. Go to the LDAP directory, edit the container via right click → Edit and move to the tab authorization. Now you can add one or more users by their DNs. To find out the DN of a specific user, execute the following command on the command line, replacing <username> with the username of the user:
univention-ldapsearch uid=<username> | grep ^dn
The output should look something like the following:
Now you can copy the output, except for the "dn: ", into the text field in the Authorization tab and click on Save.
The next step is to give the users of your choice the permission to access the Users and the Groups module after logging in. Go to the Users module and open the user that you placed in the authorization field. Move to the tab Policies and open Policy: UMC. Create a new policy and name it “edit-user”. Choose “UDM - Users (udm-users)” as an allowed UMC operation and create another entry in the same policy, where you choose “UDM - Groups (udm-groups)” as an allowed UMC operation. Save the settings.
Now the user should be able to access the Users and Groups module via the UMC.
To grant the user of your choice the permission to create a user, set the following UCR variables:
ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes"
ucr set ldap/acls/temporary_objects/groups="<DN of the group of your user>"
You can find out about the group DN of your user by running
udm users/user list --filter uid=<username> | grep primaryGroup
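The two DN lookups in this article (the user DN from univention-ldapsearch that goes into the authorization field, and the primary group DN from udm that goes into ldap/acls/temporary_objects/groups) are done by copying command output by hand. The helper below is an added example, not part of the Univention article or the univention-custom-ldap-acls package: it extracts both DNs from the command output and prints the two ucr set commands from this section with the group DN filled in. Command output is passed in as text so the parsing can be checked offline; the user jdoe and the example.com domain in the sample values are constructed, and the live branch at the end assumes the output formats of univention-ldapsearch (LDIF, "dn:" line) and udm users/user list (attributes indented under a "DN:" line).

```shell
#!/bin/sh
# Added helper (not part of the Univention article): extract the DNs the
# article has you copy by hand and print the ucr set commands with the group
# DN filled in. Sample values below are constructed, not from a real domain.

# Return the DN from the "dn: ..." line that `univention-ldapsearch ... | grep ^dn`
# prints. LDIF base64-encodes a DN containing non-ASCII characters as
# "dn:: <base64>", so that form is decoded rather than copied literally.
extract_user_dn() {
    line=$(printf '%s\n' "$1" | grep '^dn:' | head -n 1)
    case "$line" in
        'dn:: '*) printf '%s' "${line#"dn:: "}" | base64 -d; printf '\n' ;;
        'dn: '*)  printf '%s\n' "${line#"dn: "}" ;;
    esac
}

# Return the group DN from the "primaryGroup: ..." line of `udm users/user list`.
extract_primary_group_dn() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*primaryGroup: //p' | head -n 1
}

# Print the article's two ucr set commands with the group DN $1 filled in.
ucr_set_commands() {
    printf 'ucr set ldap/acls/custom/univentionCustomACLReferenceGroupModify/create="yes"\n'
    printf 'ucr set ldap/acls/temporary_objects/groups="%s"\n' "$1"
}

# Constructed sample output for a user "jdoe" in an example domain.
SAMPLE_LDAPSEARCH='dn: uid=jdoe,cn=users,dc=example,dc=com'
SAMPLE_UDM='DN: uid=jdoe,cn=users,dc=example,dc=com
  username: jdoe
  primaryGroup: cn=Domain Users,cn=groups,dc=example,dc=com'

# On a UCS system, run the script with a username to look the values up live:
#   sh this_script.sh jdoe
if [ "$#" -gt 0 ] && command -v univention-ldapsearch >/dev/null 2>&1; then
    user_dn=$(extract_user_dn "$(univention-ldapsearch "uid=$1" | grep '^dn')")
    group_dn=$(extract_primary_group_dn "$(udm users/user list --filter "uid=$1")")
    echo "authorization field value: $user_dn"
    ucr_set_commands "$group_dn"
fi
```

The helper only prints the ucr set commands rather than running them: the GroupModify create flag widens what every DN listed in the groups-modify attribute may do, so review the group DN it resolved before you paste the commands. LDIF line folding (a very long DN continued on a following line starting with a space) is not unfolded here; if your DNs are that long, unfold the output first.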
Finally, edit the containers groups and temporary (you can find the latter below the container “univention”) in the LDAP directory. You can simply follow the instructions for editing the container from above again. Make sure the DN of your users is in the text fields “editing user” and “editing groups”.
After that, execute the following command to restart your LDAP server:
systemctl restart slapd
Now the users of your choice will be able to create users or manage groups.